NetworkReporter client uvodni commit

* uvodni commit naseho MU klienta * pridani poznamek z posledni porady do wardenWatchdog

NetworkReporter client uvodni commit
dcd33135 · Jakub Cegan · db239e5e · dcd33135
Commit dcd33135 authored 12 years ago by Jakub Cegan
--- a/src/contrib/networkReporter-client/networkReporter.pl
+++ b/src/contrib/networkReporter-client/networkReporter.pl
+#!/usr/bin/perl
+#
+#  networkReporter.pl - Warden client for communication with RT ticketing system
+# 
+#  Copyright (C) 2012 Masaryk University
+#  Author(s): Jakub CEGAN <cegan@ics.muni.cz>
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#
+#   * Redistributions of source code must retain the above copyright notice,
+#     this list of conditions and the following disclaimer.
+#   * Redistributions in binary form must reproduce the above copyright notice,
+#     this list of conditions and the following disclaimer in the documentation
+#     and/or other materials provided with the distribution.
+#   * Neither the name of Masaryk University nor the names of its contributors may be
+#     used to endorse or promote products derived from this software without
+#     specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+#  POSSIBILITY OF SUCH DAMAGE.
+#
+
+use warnings;
+use strict;
+
+use lib '/opt/warden-client';
+use Email::Simple;
+use Sys::Hostname;
+use Text::Wrap;
+use DateTime;
+
+
+sub sendmailWrapper{
+  my $message = shift;
+
+  if(open(my $sendmail, '|/usr/sbin/sendmail -oi -t')){
+    print $sendmail $message;
+    close $sendmail;
+    return 1;
+  } else {
+    return (0, "Sending email failed: $!");
+  }
+}
+
+sub timeToLocal{
+  my $time = shift;
+
+  my ($y,$m,$d,$h,$mm,$s);
+  if(!($$time =~ m/(\d{4})\-(\d{2})\-(\d{2})\ (\d{2})\:(\d{2})\:(\d{2})/)){
+    return (0, "Bad time format!\n");
+  }
+
+  ($y,$m,$d,$h,$mm,$s) = $$time =~ m/(\d{4})\-(\d{2})\-(\d{2})\ (\d{2})\:(\d{2})\:(\d{2})/;
+  eval{
+  my $dt = DateTime->new(
+        year   => $y,
+        month  => $m,
+        day    => $d,
+        hour   => $h,
+        minute => $mm,
+        second => $s,
+        time_zone =>'gmt');
+  $dt->set_time_zone('local');
+  $$time = $dt->strftime('%d. %m. %Y v %H:%M');};
+  if($@){
+    return (0, "Can't convert time to epoch format!\n");
+  }
+  return 1;
+}
+
+#-------------------------------------------------------------------------------
+# reportToRT - fuction for creating tickets in the RT system
+#
+#  param: hash with gateway address and warden event array
+#
+# return: ok || fail
+#-------------------------------------------------------------------------------
+sub reportToRT{
+
+  my $inputData  = shift;
+  my $toGateway  = $$inputData{'gateway'};
+  my @event      = @{$$inputData{'data'}};
+
+  my $fromHostname;
+  my $message;
+  my ($rc, $err);
+
+  if(!($toGateway)){
+    return (0, "Empty 'To' email header!\n");
+  }
+
+  eval{
+    $fromHostname = hostname();
+    if(!($fromHostname =~ m/\.ics\.muni\.cz/gi)){
+      $fromHostname .= '.ics.muni.cz';
+    }
+  };
+  if($@){
+    return (0, "Can't retrive hostname for 'From' header!\n");
+  }
+
+  ($rc, $err) = timeToLocal(\$event[3]);
+  if(!$rc){
+    return (0, $err);
+  }
+
+  my $text = "Dobrý den,
+  z Vaší IP adresy $event[6] jsme zaznamenali $event[3] celkem $event[9] pokus(y) o připojení k neexistující službě (tzv. honeypotu). V tomto konkrétním případě se jednalo o protokol $event[7] a port číslo $event[8]. Je pravděpodobné, že se jedná o virus, napadený počítač či zneužitý uživatelský účet. Doporučujeme Vám zkontrolovat zabezpečení tohoto počitače.
+
+  S pozdravem
+
+  CSIRT-MU
+  http://www.muni.cz/csirt";
+
+  eval{
+  $message = Email::Simple->create(
+    header => [
+      To                    => $toGateway,
+      From                  => 'tools@'.$fromHostname,
+      Subject               => 'Pristup na honeypot v siti CESNET'],
+      body => fill('','',$text));
+  };
+  if($@){
+    return (0, "Can't create email message\n");
+  }
+
+  ($rc, $err) = sendmailWrapper($message->as_string);
+  if(!$rc){
+    return (0, $err);
+  }
+  return 1;
+}
+
+
+my $warden_path = '/opt/warden-client';
+
+require $warden_path . '/lib/WardenClientReceive.pm';
+
+my $requested_type = "portscan";
+my $ip_reg = '147\.251\.\d+\.\d+';
+my $client = 'CESNET_IDS';
+my $gateway = 'rt@rt-devel.ics.muni.cz';
+
+$Text::Wrap::columns = 90;
+
+
+my $logger;
+my @new_events;
+
+@new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
+#@new_events = (["5179620","au1.cesnet.cz","CESNET_IDS","2012-11-08 17:04:56","portscan","IP","147.251.216.8","XXX","666","2","","0","720"]);
+foreach (@new_events) {
+  my @event = @$_;
+
+  if(($event[6] =~ /^$ip_reg$/i) and ($event[2] =~ /^$client$/i)){
+    my %input = (gateway => $gateway, data => \@event);
+    my ($rc,$err) = reportToRT(\%input);
+    if(!$rc){
+      #print "ERR: $err\n";
+      syslog("err|Warden client - networkReporter $err\n");
+    }
+  }
+}
+
+exit 0;